From 5a89ba7242fd1864f7f16825225215bd06d1dd36 Mon Sep 17 00:00:00 2001 From: Joseph Richard Date: Wed, 22 Jul 2020 16:30:56 -0400 Subject: [PATCH] Patch in fixes for blocking portieris issues Specifically, these two issues are blocking using portieris app with starlingx: * https://github.com/IBM/portieris/issues/51 * https://github.com/IBM/portieris/issues/59 Once these fixes are included in a published release of portieris, drop this patch and rebase to the latest release. Story: 2007348 Task: 40434 Change-Id: I14d0e5664333c5080440b9fd156c66a317444563 Signed-off-by: Joseph Richard --- portieris-helm/centos/portieris-helm.spec | 3 + .../centos/portieris.stable_docker_image | 1 + ...0001-Squash-required-portieris-fixes.patch | 1296 +++++++++++++++++ 3 files changed, 1300 insertions(+) create mode 100644 portieris-helm/files/0001-Squash-required-portieris-fixes.patch diff --git a/portieris-helm/centos/portieris-helm.spec b/portieris-helm/centos/portieris-helm.spec index 4962b68..67f6e51 100644 --- a/portieris-helm/centos/portieris-helm.spec +++ b/portieris-helm/centos/portieris-helm.spec @@ -26,6 +26,8 @@ Source2: index.yaml BuildArch: noarch +Patch01: 0001-Squash-required-portieris-fixes.patch + BuildRequires: helm BuildRequires: chartmuseum @@ -34,6 +36,7 @@ StarlingX portieris charts %prep %setup -n portieris +%patch01 -p1 %build # Host a server for the charts diff --git a/portieris-helm/centos/portieris.stable_docker_image b/portieris-helm/centos/portieris.stable_docker_image index 1ec9b19..0bba1fc 100644 --- a/portieris-helm/centos/portieris.stable_docker_image +++ b/portieris-helm/centos/portieris.stable_docker_image @@ -2,3 +2,4 @@ BUILDER=docker LABEL=portieris DOCKER_REPO=https://github.com/IBM/portieris.git DOCKER_REF=0.7.0 +DOCKER_PATCHES="../files/0001-Squash-required-portieris-fixes.patch" diff --git a/portieris-helm/files/0001-Squash-required-portieris-fixes.patch b/portieris-helm/files/0001-Squash-required-portieris-fixes.patch new file mode 100644 index 0000000..b71b0cf --- /dev/null +++ b/portieris-helm/files/0001-Squash-required-portieris-fixes.patch @@ -0,0 +1,1296 @@ +From 42bd348d6a6b656d62dc436313b4dd2d8c838993 Mon Sep 17 00:00:00 2001 +From: Joseph Richard +Date: Thu, 23 Jul 2020 15:45:17 -0400 +Subject: [PATCH] Squash required portieris fixes + +Add fixes for these issues to portieris build: + * https://github.com/IBM/portieris/issues/51 + * https://github.com/IBM/portieris/issues/59 + +This should be rebased once those issues are fixed in a published +release of portieris. + +Signed-off-by: Joseph Richard +--- + CHANGELOG.md | 23 +++ + README.md | 19 ++- + cmd/trust/main.go | 8 +- + helm/cleanup.sh | 7 +- + helm/portieris/gencerts | 10 +- + .../delete-admission-webhooks.yaml | 2 +- + .../templates/admission-webhooks/webhooks.yaml | 8 +- + helm/portieris/templates/clusterrole.yaml | 7 +- + helm/portieris/templates/clusterrolebinding.yaml | 3 + + .../templates/crd-creation/configmap.yaml | 3 + + .../templates/crd-creation/create-crds.yaml | 2 +- + .../templates/crd-creation/delete-crds.yaml | 6 +- + helm/portieris/templates/default/policies.yaml | 76 +++++---- + helm/portieris/templates/deployment.yaml | 8 +- + helm/portieris/templates/secret.yaml | 26 ++- + .../templates/securitycontextconstraint.yaml | 43 +++++ + helm/portieris/templates/service.yaml | 2 +- + helm/portieris/templates/serviceaccount.yaml | 3 + + helm/portieris/values.yaml | 53 ++++-- + helpers/image/image.go | 7 + + helpers/oauth/header.go | 178 +++++++++++++++++++++ + helpers/oauth/oauth.go | 85 ++++++++-- + pkg/controller/multi/notary_test.go | 16 +- + pkg/registry/fakeregistry/fakeregistry.go | 27 ++-- + pkg/registry/registry.go | 12 +- + pkg/verifier/trust/verifier.go | 87 +++++++++- + 26 files changed, 598 insertions(+), 123 deletions(-) + create mode 100644 CHANGELOG.md + create mode 100644 helm/portieris/templates/securitycontextconstraint.yaml + create mode 100644 helpers/oauth/header.go + +diff --git a/CHANGELOG.md b/CHANGELOG.md +new file mode 100644 +index 0000000..0c93f86 +--- /dev/null ++++ b/CHANGELOG.md +@@ -0,0 +1,23 @@ ++# Change Log ++ ++Notable changes recorded here. ++This project adheres to [Semantic Versioning](http://semver.org/). ++ ++# 0.7.1 ++## 2020-06-xx ++ ++* Fix the port name in service template ([PR#149](https://github.com/IBM/portieris/pull/149)) ++* Change the default namespace to portieris ([#117](https://github.com/IBM/portieris/issues/117)) ++* Support Helm3 and Openshift 4 ([#130](https://github.com/IBM/portieris/pull/130)) ++* anti-affinity and liveness/readiness probes ([#66](https://github.com/IBM/portieris/issues/66)) ++* Support sourcing webhook certificates from cert-manager ([#59](https://github.com/IBM/portieris/issues/59)) ++ ++# 0.7.0 ++## 2020-06-09 ++ ++* Support for reading simple signatures from lookaside storage, ([#93](https://github.com/IBM/portieris/issues/93)) ++ ++# 0.6.0 ++## 2020-03-26 ++ ++* Support for the verification of simple signatures using [containers/image](https://github.com/containers/image). ([#70](https://github.com/IBM/portieris/issues/70)) +diff --git a/README.md b/README.md +index b417d36..af69444 100644 +--- a/README.md ++++ b/README.md +@@ -29,18 +29,27 @@ Portieris' Admission Webhook is configured to fail closed. Three instances of Po + + ## Installing Portieris + +-Portieris is installed using a Helm chart. Before you begin, make sure that you have Kubernetes 1.9 or above, and Helm 2.8 or above (not Helm 3.x) installed in your cluster. ++Portieris is installed using a Helm chart. Before you begin, make sure that you have Kubernetes 1.16 or above and Helm 3.0 or above installed on your workstation. + +-To install Portieris: ++To install Portieris in the default namespace (portieris): + + * Clone the Portieris Git repository to your workstation. + * Change directory into the Portieris Git repository. +-* Run `./helm/portieris/gencerts `. The `gencerts` script generates new SSL certificates and keys for Portieris. Portieris presents this certificates to the Kubernetes API server when the API server makes admission requests. If you do not generate new certificates, it could be possible for an attacker to spoof Portieris in your cluster. +-* Run `helm upgrade --install portieris --set namespace= helm/portieris`. ++* Run `./helm/portieris/gencerts`. The `gencerts` script generates new SSL certificates and keys for Portieris. Portieris presents this certificates to the Kubernetes API server when the API server makes admission requests. If you do not generate new certificates, it could be possible for an attacker to spoof Portieris in your cluster. ++* Run `kubectl create namespace portieris` ++* Run `helm install portieris helm/portieris`. ++ ++To use an alternative namespace: ++* Run `./helm/portieris/gencerts `. ++* Run `kubectl create namespace `. ++* Run `helm install portieris --set namespace= helm/portieris`. ++ ++To manage certificates through installed cert-manager(https://cert-manager.io/): ++* Run `helm install portieris --set UseCertManager=true helm/portieris`. + + ## Uninstalling Portieris + +-You can uninstall Portieris at any time by running `helm delete --purge portieris`. Note that all your image security policies are deleted when you uninstall Portieris. ++You can uninstall Portieris at any time by running `helm delete portieris`. Note that all your image security policies are deleted when you uninstall Portieris. + + ## Image security policies + +diff --git a/cmd/trust/main.go b/cmd/trust/main.go +index e07daa4..4295842 100644 +--- a/cmd/trust/main.go ++++ b/cmd/trust/main.go +@@ -77,13 +77,13 @@ func main() { + glog.Fatal("Could not get trust client", err) + } + +- serverCert, err := ioutil.ReadFile("/etc/certs/serverCert.pem") ++ serverCert, err := ioutil.ReadFile("/etc/certs/tls.crt") + if err != nil { +- glog.Fatal("Could not read /etc/certs/serverCert.pem", err) ++ glog.Fatal("Could not read /etc/certs/tls.crt", err) + } +- serverKey, err := ioutil.ReadFile("/etc/certs/serverKey.pem") ++ serverKey, err := ioutil.ReadFile("/etc/certs/tls.key") + if err != nil { +- glog.Fatal("Could not read /etc/certs/serverKey.pem", err) ++ glog.Fatal("Could not read /etc/certs/tls.key", err) + } + + cr := registryclient.NewClient() +diff --git a/helm/cleanup.sh b/helm/cleanup.sh +index 89dd681..06b69a8 100755 +--- a/helm/cleanup.sh ++++ b/helm/cleanup.sh +@@ -1,9 +1,9 @@ + #! /bin/bash + + RELEASE_NAME=${1:-portieris} +-NAMESPACE=${2:-ibm-system} ++NAMESPACE=${2:-portieris} + +-echo Purging release ${RELEASE_NAME} in ${NAMESPACE} ++echo Deleting release ${RELEASE_NAME} in ${NAMESPACE} + + kubectl delete MutatingWebhookConfiguration image-admission-config --ignore-not-found=true + kubectl delete ValidatingWebhookConfiguration image-admission-config --ignore-not-found=true +@@ -12,6 +12,5 @@ kubectl delete crd clusterimagepolicies.securityenforcement.admission.cloud.ibm. + + kubectl delete jobs -n ${NAMESPACE} create-admission-webhooks create-armada-image-policies create-crds validate-crd-creation --ignore-not-found=true + +-helm delete --purge ${RELEASE_NAME} ++helm delete ${RELEASE_NAME} --no-hooks + +-kubectl delete jobs -n ${NAMESPACE} delete-admission-webhooks delete-crds --ignore-not-found=true +diff --git a/helm/portieris/gencerts b/helm/portieris/gencerts +index 3e1c724..d1dc2fa 100755 +--- a/helm/portieris/gencerts ++++ b/helm/portieris/gencerts +@@ -3,7 +3,7 @@ + SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)" + + SERVICE_NAME=portieris +-NAMESPACE=${1:-ibm-system} ++NAMESPACE=${1:-portieris} + + echo "Using $SERVICE_NAME as the service name" + echo "Using $NAMESPACE as the namespace" +@@ -26,12 +26,12 @@ EOF + + # Create a certificate authority + openssl genrsa -out $CERT_DIR/caKey.pem 2048 +-openssl req -x509 -new -nodes -key $CERT_DIR/caKey.pem -days 100000 -out $CERT_DIR/caCert.pem -subj "/CN=${SERVICE_NAME}_ca" ++openssl req -x509 -new -nodes -key $CERT_DIR/caKey.pem -days 100000 -out $CERT_DIR/ca.crt -subj "/CN=${SERVICE_NAME}_ca" + + # Create a server certiticate +-openssl genrsa -out $CERT_DIR/serverKey.pem 2048 ++openssl genrsa -out $CERT_DIR/tls.key 2048 + # Note the CN is the DNS name of the service of the webhook. +-openssl req -new -key $CERT_DIR/serverKey.pem -out $CERT_DIR/server.csr -subj "/CN=${SERVICE_NAME}.${NAMESPACE}.svc" -config $CERT_DIR/server.conf +-openssl x509 -req -in $CERT_DIR/server.csr -CA $CERT_DIR/caCert.pem -CAkey $CERT_DIR/caKey.pem -CAcreateserial -out $CERT_DIR/serverCert.pem -days 100000 -extensions v3_req -extfile $CERT_DIR/server.conf ++openssl req -new -key $CERT_DIR/tls.key -out $CERT_DIR/server.csr -subj "/CN=${SERVICE_NAME}.${NAMESPACE}.svc" -config $CERT_DIR/server.conf ++openssl x509 -req -in $CERT_DIR/server.csr -CA $CERT_DIR/ca.crt -CAkey $CERT_DIR/caKey.pem -CAcreateserial -out $CERT_DIR/tls.crt -days 100000 -extensions v3_req -extfile $CERT_DIR/server.conf + + rm $CERT_DIR/caKey.pem $CERT_DIR/server.conf $CERT_DIR/server.csr +diff --git a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml +index 35a3812..ce34927 100644 +--- a/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml ++++ b/helm/portieris/templates/admission-webhooks/delete-admission-webhooks.yaml +@@ -5,7 +5,7 @@ metadata: + namespace: {{ .Values.namespace }} + annotations: + helm.sh/hook: pre-delete +- helm.sh/hook-weight: "-10" ++ helm.sh/hook-weight: "-8" + helm.sh/hook-delete-policy: hook-succeeded + labels: + app: {{ template "portieris.name" . }} +diff --git a/helm/portieris/templates/admission-webhooks/webhooks.yaml b/helm/portieris/templates/admission-webhooks/webhooks.yaml +index caee941..0f013a0 100644 +--- a/helm/portieris/templates/admission-webhooks/webhooks.yaml ++++ b/helm/portieris/templates/admission-webhooks/webhooks.yaml +@@ -3,6 +3,10 @@ apiVersion: admissionregistration.k8s.io/v1beta1 + kind: MutatingWebhookConfiguration + metadata: + name: image-admission-config ++ {{ if .Values.UseCertManager }} ++ annotations: ++ cert-manager.io/inject-ca-from: {{ .Values.namespace }}/portieris-certs ++ {{ end }} + namespace: {{ .Values.namespace }} + labels: + app: {{ template "portieris.name" . }} +@@ -16,7 +20,9 @@ webhooks: + name: {{ template "portieris.name" . }} + namespace: {{ .Values.namespace }} + path: "/admit" +- caBundle: {{ .Files.Get "certs/caCert.pem" | b64enc }} ++ {{ if not .Values.UseCertManager }} ++ caBundle: {{ .Files.Get "certs/ca.crt" | b64enc }} ++ {{ end }} + rules: + - operations: [ "CREATE", "UPDATE" ] + apiGroups: ["*"] +diff --git a/helm/portieris/templates/clusterrole.yaml b/helm/portieris/templates/clusterrole.yaml +index 2090543..67c5912 100644 +--- a/helm/portieris/templates/clusterrole.yaml ++++ b/helm/portieris/templates/clusterrole.yaml +@@ -7,10 +7,13 @@ metadata: + chart: {{ template "portieris.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} ++ annotations: ++ helm.sh/hook: pre-install ++ helm.sh/hook-weight: "-10" + rules: + - apiGroups: ["securityenforcement.admission.cloud.ibm.com"] + resources: ["imagepolicies", "clusterimagepolicies"] +- verbs: ["get", "watch", "list", "create"] ++ verbs: ["get", "watch", "list", "create", "patch"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "create", "delete"] +@@ -19,4 +22,4 @@ rules: + verbs: ["get", "create", "delete"] + - apiGroups: [""] + resources: ["secrets", "serviceaccounts"] +- verbs: ["get"] +\ No newline at end of file ++ verbs: ["get"] +diff --git a/helm/portieris/templates/clusterrolebinding.yaml b/helm/portieris/templates/clusterrolebinding.yaml +index 3468bb0..0bfdac7 100644 +--- a/helm/portieris/templates/clusterrolebinding.yaml ++++ b/helm/portieris/templates/clusterrolebinding.yaml +@@ -7,6 +7,9 @@ metadata: + chart: {{ template "portieris.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} ++ annotations: ++ helm.sh/hook: pre-install ++ helm.sh/hook-weight: "-9" + roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole +diff --git a/helm/portieris/templates/crd-creation/configmap.yaml b/helm/portieris/templates/crd-creation/configmap.yaml +index 5c185af..0cdeb40 100644 +--- a/helm/portieris/templates/crd-creation/configmap.yaml ++++ b/helm/portieris/templates/crd-creation/configmap.yaml +@@ -8,6 +8,9 @@ metadata: + chart: {{ template "portieris.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} ++ annotations: ++ helm.sh/hook: pre-install ++ helm.sh/hook-weight: "-7" + data: + custom-resource-definitions.yaml: |- + {{- include "crds.yaml.tpl" . | indent 4}} +diff --git a/helm/portieris/templates/crd-creation/create-crds.yaml b/helm/portieris/templates/crd-creation/create-crds.yaml +index 7be3d51..3ac36f6 100644 +--- a/helm/portieris/templates/crd-creation/create-crds.yaml ++++ b/helm/portieris/templates/crd-creation/create-crds.yaml +@@ -4,7 +4,7 @@ metadata: + name: create-crds + namespace: {{ .Values.namespace }} + annotations: +- helm.sh/hook: post-install ++ helm.sh/hook: pre-install + helm.sh/hook-weight: "-6" + helm.sh/hook-delete-policy: hook-succeeded + labels: +diff --git a/helm/portieris/templates/crd-creation/delete-crds.yaml b/helm/portieris/templates/crd-creation/delete-crds.yaml +index 7313d23..9080511 100644 +--- a/helm/portieris/templates/crd-creation/delete-crds.yaml ++++ b/helm/portieris/templates/crd-creation/delete-crds.yaml +@@ -4,8 +4,8 @@ metadata: + name: delete-crds + namespace: {{ .Values.namespace }} + annotations: +- helm.sh/hook: pre-delete +- helm.sh/hook-weight: "-9" ++ helm.sh/hook: post-delete ++ helm.sh/hook-weight: "-8" + helm.sh/hook-delete-policy: hook-succeeded + labels: + app: {{ template "portieris.name" . }} +@@ -40,4 +40,4 @@ spec: + configMap: + name: image-policy-crds + restartPolicy: OnFailure +- +\ No newline at end of file ++ +diff --git a/helm/portieris/templates/default/policies.yaml b/helm/portieris/templates/default/policies.yaml +index d9dc0e7..f47fa8f 100644 +--- a/helm/portieris/templates/default/policies.yaml ++++ b/helm/portieris/templates/default/policies.yaml +@@ -2,73 +2,79 @@ + apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1 + kind: ImagePolicy + metadata: +- name: portieris-default-image-policy ++ name: default + namespace: {{ .Values.namespace }} + annotations: + helm.sh/hook: post-install + helm.sh/hook-weight: "1" + spec: + repositories: +- # This policy allows all images to be deployed into this namespace. This policy prevents breaking any existing third party applications in this namespace. +- # IMPORTANT: Review this policy and replace it with one that meets your requirements. If you do not run any third party applications in this namespace, you can remove this policy entirely. +- - name: "*" +- policy: +- {{ if .Values.IBMContainerService }} +- # These policies allow all IBM Cloud Container Service images from the global and all regional registries to deploy in this namespace. +- # IMPORTANT: When you create your own policy in this namespace, make sure to include these repositories. If you do not, the cluster might not function properly. +- - name: "*.icr.io/armada/*" +- policy: +- - name: "*.icr.io/armada-worker/*" +- policy: +- - name: "*.icr.io/armada-master/*" +- policy: +- {{ end }} +- # This policy prevents Portieris from blocking itself +- - name: "{{ .Values.image.host }}/{{ .Values.image.image }}:{{ .Values.image.tag }}" +- policy: +- # This policy allows Portieris to use Hyperkube to configure your cluster. This policy must exist if you uninstall Portieris. ++ # This policy prevents Portieris from denying its own updates. Do not remove this policy or portieris may not function correctly. ++ - name: "{{ .Values.image.host | default "docker.io/ibmcom" }}/{{ .Values.image.image }}:{{ .Values.image.tag }}" ++ # This policy allows Portieris to use Hyperkube to configure your cluster. This policy must exist if order to uninstall Portieris. + - name: "{{ .Values.hyperkube.repository }}:{{ .Values.hyperkube.tag }}" +- policies: +- + --- + apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1 + kind: ImagePolicy + metadata: +- name: portieris-default-image-policy ++ name: default + namespace: kube-system + annotations: + helm.sh/hook: post-install + helm.sh/hook-weight: "1" + spec: + repositories: +- # This policy allows all images to be deployed into this namespace. This policy prevents breaking any existing third party applications in this namespace. +- # IMPORTANT: Review this policy and replace it with one that meets your requirements. If you do not run any third party applications in this namespace, you can remove this policy entirely. ++ # This permissive policy allows all images to be deployed into this namespace. ++ # IMPORTANT: Review this policy and replace it with one that meets your requirements. + - name: "*" +- policy: + {{ if .Values.IBMContainerService }} +- # These policies allow all IBM Cloud Container Service images from the global and all regional registries to deploy in this namespace. +- # IMPORTANT: When you create your own policy in this namespace, make sure to include these repositories. If you do not, the cluster might not function properly. ++ # These policies allow all IBM Cloud Container Service images to deploy in this namespace. ++ # IMPORTANT: When you create your own policy in this namespace, be sure to retain these policies. If you do not, the cluster might not update or function properly. ++ - name: "registry*.bluemix.net/armada/*" ++ - name: "registry*.bluemix.net/armada-worker/*" ++ - name: "registry*.bluemix.net/armada-master/*" + - name: "*.icr.io/armada/*" +- policy: + - name: "*.icr.io/armada-worker/*" +- policy: + - name: "*.icr.io/armada-master/*" +- policy: ++ - name: "icr.io/armada/*" ++ - name: "icr.io/armada-worker/*" ++ - name: "icr.io/armada-master/*" + {{ end }} + --- ++{{ if .Values.IBMContainerService }} ++apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1 ++kind: ImagePolicy ++metadata: ++ name: default ++ namespace: ibm-system ++ annotations: ++ helm.sh/hook: post-install ++ helm.sh/hook-weight: "1" ++spec: ++ repositories: ++ # These policies allow all IBM Cloud Container Service images to deploy in this namespace. ++ # IMPORTANT: When you create your own policy in this namespace, make sure to retain these policies. If you do not, the cluster might not update or function properly. ++ - name: "registry*.bluemix.net/armada/*" ++ - name: "registry*.bluemix.net/armada-worker/*" ++ - name: "registry*.bluemix.net/armada-master/*" ++ - name: "*.icr.io/armada/*" ++ - name: "*.icr.io/armada-worker/*" ++ - name: "*.icr.io/armada-master/*" ++ - name: "icr.io/armada/*" ++ - name: "icr.io/armada-worker/*" ++ - name: "icr.io/armada-master/*" ++--- ++{{ end }} + apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1 + kind: ClusterImagePolicy + metadata: +- name: portieris-default-cluster-image-policy ++ name: default + annotations: + helm.sh/hook: post-install + helm.sh/hook-weight: "1" + spec: + repositories: +- # This enforces that all images deployed to this cluster pass trust ++ # This permissive policy allows all images in namespaces which do not have an ImagePolicy. + # IMPORTANT: Review this policy and replace it with one that meets your requirements. + - name: "*" +- policy: +- trust: +- enabled: true + {{ end }} +diff --git a/helm/portieris/templates/deployment.yaml b/helm/portieris/templates/deployment.yaml +index 977b6c3..b72c599 100644 +--- a/helm/portieris/templates/deployment.yaml ++++ b/helm/portieris/templates/deployment.yaml +@@ -17,7 +17,7 @@ spec: + template: + metadata: + labels: +- app: {{ template "portieris.name" . }} ++ app: portieris + release: {{ .Release.Name }} + spec: + serviceAccountName: portieris +@@ -38,11 +38,15 @@ spec: + port: 8000 + path: "/health/liveness" + scheme: HTTPS ++ initialDelaySeconds: 10 ++ timeoutSeconds: 10 + readinessProbe: + httpGet: + port: 8000 + path: "/health/readiness" + scheme: HTTPS ++ initialDelaySeconds: 10 ++ timeoutSeconds: 10 + env: + resources: + {{ toYaml .Values.resources | indent 12 }} +@@ -59,7 +63,7 @@ spec: + {{ toYaml . | indent 8 }} + {{- end }} + securityContext: +- runAsUser: 1000060001 ++ runAsUser: {{ .Values.securityContext.runAsUser }} + volumes: + - name: portieris-certs + secret: +diff --git a/helm/portieris/templates/secret.yaml b/helm/portieris/templates/secret.yaml +index 0f5b038..f14fa24 100644 +--- a/helm/portieris/templates/secret.yaml ++++ b/helm/portieris/templates/secret.yaml +@@ -1,4 +1,25 @@ + {{ if not .Values.SkipSecretCreation }} ++{{ if .Values.UseCertManager }} ++apiVersion: cert-manager.io/v1alpha2 ++kind: Issuer ++metadata: ++ name: portieris ++ namespace: {{ .Values.namespace }} ++spec: ++ selfSigned: {} ++--- ++apiVersion: cert-manager.io/v1alpha2 ++kind: Certificate ++metadata: ++ name: portieris-certs ++ namespace: {{ .Values.namespace }} ++spec: ++ dnsNames: ++ - portieris.{{ .Values.namespace }}.svc ++ secretName: portieris-certs ++ issuerRef: ++ name: portieris ++{{ else }} + apiVersion: v1 + kind: Secret + metadata: +@@ -6,6 +27,7 @@ metadata: + namespace: {{ .Values.namespace }} + type: Opaque + data: +- serverCert.pem: {{ .Files.Get "certs/serverCert.pem" | b64enc }} +- serverKey.pem: {{ .Files.Get "certs/serverKey.pem" | b64enc }} ++ tls.crt: {{ .Files.Get "certs/tls.crt" | b64enc }} ++ tls.key: {{ .Files.Get "certs/tls.key" | b64enc }} ++{{ end }} + {{ end }} +diff --git a/helm/portieris/templates/securitycontextconstraint.yaml b/helm/portieris/templates/securitycontextconstraint.yaml +new file mode 100644 +index 0000000..3890ddb +--- /dev/null ++++ b/helm/portieris/templates/securitycontextconstraint.yaml +@@ -0,0 +1,43 @@ ++{{ if .Capabilities.APIVersions.Has "clusterversions.config.openshift.io" }} ++apiVersion: security.openshift.io/v1 ++kind: SecurityContextConstraints ++metadata: ++ annotations: ++ kubernetes.io/description: anyuid provides all features of the restricted SCC but allows users to run with any UID and any GID. ++ helm.sh/hook: pre-install ++ helm.sh/hook-weight: "1" ++ name: anyuid-portieris ++allowHostDirVolumePlugin: false ++allowHostIPC: false ++allowHostNetwork: false ++allowHostPID: false ++allowHostPorts: false ++allowPrivilegeEscalation: true ++allowPrivilegedContainer: false ++allowedCapabilities: [] ++defaultAddCapabilities: [] ++fsGroup: ++ type: RunAsAny ++groups: ++- system:cluster-admins ++priority: 10 ++readOnlyRootFilesystem: false ++requiredDropCapabilities: ++- MKNOD ++runAsUser: ++ type: MustRunAs ++ uid: {{ .Values.securityContext.runAsUser }} ++seLinuxContext: ++ type: MustRunAs ++supplementalGroups: ++ type: RunAsAny ++users: ++- system:serviceaccount:portieris:portieris ++volumes: ++- configMap ++- downwardAPI ++- emptyDir ++- persistentVolumeClaim ++- projected ++- secret ++{{ end }} +diff --git a/helm/portieris/templates/service.yaml b/helm/portieris/templates/service.yaml +index bb3d2e9..8e25eca 100644 +--- a/helm/portieris/templates/service.yaml ++++ b/helm/portieris/templates/service.yaml +@@ -14,7 +14,7 @@ spec: + - port: {{ .Values.service.port }} + targetPort: {{ .Values.service.targetPort }} + protocol: TCP +- name: http ++ name: https + selector: + app: {{ template "portieris.name" . }} + release: {{ .Release.Name }} +diff --git a/helm/portieris/templates/serviceaccount.yaml b/helm/portieris/templates/serviceaccount.yaml +index a0b41fb..88dfa2c 100644 +--- a/helm/portieris/templates/serviceaccount.yaml ++++ b/helm/portieris/templates/serviceaccount.yaml +@@ -12,3 +12,6 @@ metadata: + chart: {{ template "portieris.chart" . }} + release: {{ .Release.Name }} + heritage: {{ .Release.Service }} ++ annotations: ++ helm.sh/hook: pre-install ++ helm.sh/hook-weight: "-7" +diff --git a/helm/portieris/values.yaml b/helm/portieris/values.yaml +index b75dc61..8b1a13e 100644 +--- a/helm/portieris/values.yaml ++++ b/helm/portieris/values.yaml +@@ -3,7 +3,7 @@ + # Declare variables to be passed into your templates. + + replicaCount: 3 +-namespace: ibm-system ++namespace: portieris + + image: + host: +@@ -17,29 +17,56 @@ service: + port: 443 + targetPort: 8000 + ++securityContext: ++ runAsUser: 1000060001 ++ + # If not running on IBM Cloud Container Service set to false + IBMContainerService: true + + # If managing portieris-certs secret externally + SkipSecretCreation: false + +-resources: {} +- # We usually recommend not to specify default resources and to leave this as a conscious +- # choice for the user. This also increases chances charts run on environments with little +- # resources, such as Minikube. If you do want to specify resources, uncomment the following +- # lines, adjust them as necessary, and remove the curly braces after 'resources:'. +- # limits: +- # cpu: 100m +- # memory: 128Mi +- # requests: +- # cpu: 100m +- # memory: 128Mi ++# If using cert-manager to handle secrets ++UseCertManager: false ++ ++# Resoures defined to assist scheduling ++# request is typical x10, limit is typical x100 ++resources: ++ limits: ++ cpu: 400m ++ memory: 600Mi ++ requests: ++ cpu: 40m ++ memory: 60Mi + + nodeSelector: {} + + tolerations: [] + +-affinity: {} ++# Affinity settings ++# the `podAntiAffinity` defined here results in the distribution of pods over nodes where possible ++# intended to improve availability in the face of node and zone instability, reducing the potential of admission deadlock ++affinity: ++ podAntiAffinity: ++ preferredDuringSchedulingIgnoredDuringExecution: ++ - podAffinityTerm: ++ labelSelector: ++ matchExpressions: ++ - key: app ++ operator: In ++ values: ++ - portieris ++ topologyKey: "kubernetes.io/hostname" ++ weight: 50 ++ - podAffinityTerm: ++ labelSelector: ++ matchExpressions: ++ - key: app ++ operator: In ++ values: ++ - portieris ++ topologyKey: "failure-domain.beta.kubernetes.io/zone" ++ weight: 50 + + # Not recommended for user to configure this. Hyperkube image to use when creating custom resources + hyperkube: +diff --git a/helpers/image/image.go b/helpers/image/image.go +index 8ae59b4..9da3eaa 100644 +--- a/helpers/image/image.go ++++ b/helpers/image/image.go +@@ -31,6 +31,7 @@ type Reference struct { + digest string + hostname string + port string ++ repo string + } + + // NewReference parses the image name and returns an error if the name is invalid. +@@ -50,6 +51,7 @@ func NewReference(name string) (*Reference, error) { + return nil, err + } + result.name = ref.Name() ++ result.repo = reference.Path(ref) + + // Get the hostname + hostname := reference.Domain(ref) +@@ -142,3 +144,8 @@ func (r Reference) NameWithoutTag() string { + func (r Reference) String() string { + return r.original + } ++ ++// RepoName returns the image name without the tag and doesn't contain the server/host detals. ++func (r Reference) RepoName() string { ++ return r.repo ++} +diff --git a/helpers/oauth/header.go b/helpers/oauth/header.go +new file mode 100644 +index 0000000..b7a385b +--- /dev/null ++++ b/helpers/oauth/header.go +@@ -0,0 +1,178 @@ ++// Copyright 2018 Portieris Authors. ++// ++// Licensed under the Apache License, Version 2.0 (the "License"); ++// you may not use this file except in compliance with the License. ++// You may obtain a copy of the License at ++// ++// http://www.apache.org/licenses/LICENSE-2.0 ++// ++// Unless required by applicable law or agreed to in writing, software ++// distributed under the License is distributed on an "AS IS" BASIS, ++// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++// See the License for the specific language governing permissions and ++// limitations under the License. ++ ++package oauth ++ ++import ( ++ "net/http" ++ "strings" ++) ++ ++// Challenge carries information from a WWW-Authenticate response header. ++// See RFC 2617. ++type Challenge struct { ++ // Scheme is the auth-scheme according to RFC 2617 ++ Scheme string ++ ++ // Parameters are the auth-params according to RFC 2617 ++ Parameters map[string]string ++} ++ ++// Octet types from RFC 2616. ++type octetType byte ++ ++var octetTypes [256]octetType ++ ++const ( ++ isToken octetType = 1 << iota ++ isSpace ++) ++ ++func init() { ++ // OCTET = ++ // CHAR = ++ // CTL = ++ // CR = ++ // LF = ++ // SP = ++ // HT = ++ // <"> = ++ // CRLF = CR LF ++ // LWS = [CRLF] 1*( SP | HT ) ++ // TEXT = ++ // separators = "(" | ")" | "<" | ">" | "@" | "," | ";" | ":" | "\" | <"> ++ // | "/" | "[" | "]" | "?" | "=" | "{" | "}" | SP | HT ++ // token = 1* ++ // qdtext = > ++ ++ for c := 0; c < 256; c++ { ++ var t octetType ++ isCtl := c <= 31 || c == 127 ++ isChar := 0 <= c && c <= 127 ++ isSeparator := strings.ContainsRune(" \t\"(),/:;<=>?@[]\\{}", rune(c)) ++ if strings.ContainsRune(" \t\r\n", rune(c)) { ++ t |= isSpace ++ } ++ if isChar && !isCtl && !isSeparator { ++ t |= isToken ++ } ++ octetTypes[c] = t ++ } ++} ++ ++// ResponseChallenges takes in the response and it is unauthorized returns a challenge containing realm and service information ++func ResponseChallenges(resp *http.Response) []Challenge { ++ if resp.StatusCode == http.StatusUnauthorized { ++ // Parse the WWW-Authenticate Header and store the challenges ++ // on this endpoint object. ++ return parseAuthHeader(resp.Header) ++ } ++ return nil ++} ++ ++// ParseAuthHeader takes the header info from a response and gives back realm and service information ++func parseAuthHeader(header http.Header) []Challenge { ++ challenges := []Challenge{} ++ for _, h := range header[http.CanonicalHeaderKey("WWW-Authenticate")] { ++ v, p := parseValueAndParams(h) ++ if v != "" { ++ challenges = append(challenges, Challenge{Scheme: v, Parameters: p}) ++ } ++ } ++ return challenges ++} ++ ++func parseValueAndParams(header string) (value string, params map[string]string) { ++ params = make(map[string]string) ++ value, s := expectToken(header) ++ if value == "" { ++ return ++ } ++ value = strings.ToLower(value) ++ s = "," + skipSpace(s) ++ for strings.HasPrefix(s, ",") { ++ var pkey string ++ pkey, s = expectToken(skipSpace(s[1:])) ++ if pkey == "" { ++ return ++ } ++ if !strings.HasPrefix(s, "=") { ++ return ++ } ++ var pvalue string ++ pvalue, s = expectTokenOrQuoted(s[1:]) ++ if pvalue == "" { ++ return ++ } ++ pkey = strings.ToLower(pkey) ++ params[pkey] = pvalue ++ s = skipSpace(s) ++ } ++ return ++} ++ ++func skipSpace(s string) (rest string) { ++ i := 0 ++ for ; i < len(s); i++ { ++ if octetTypes[s[i]]&isSpace == 0 { ++ break ++ } ++ } ++ return s[i:] ++} ++ ++func expectToken(s string) (token, rest string) { ++ i := 0 ++ for ; i < len(s); i++ { ++ if octetTypes[s[i]]&isToken == 0 { ++ break ++ } ++ } ++ return s[:i], s[i:] ++} ++ ++func expectTokenOrQuoted(s string) (value, rest string) { ++ if !strings.HasPrefix(s, "\"") { ++ return expectToken(s) ++ } ++ s = s[1:] ++ for i := 0; i < len(s); i++ { ++ switch s[i] { ++ case '"': ++ return s[:i], s[i+1:] ++ case '\\': ++ p := make([]byte, len(s)-1) ++ j := copy(p, s[:i]) ++ escape := true ++ for i = i + 1; i < len(s); i++ { ++ b := s[i] ++ switch { ++ case escape: ++ escape = false ++ p[j] = b ++ j++ ++ case b == '\\': ++ escape = true ++ case b == '"': ++ return string(p[:j]), s[i+1:] ++ default: ++ p[j] = b ++ j++ ++ } ++ } ++ return "", "" ++ } ++ } ++ return "", "" ++} +diff --git a/helpers/oauth/oauth.go b/helpers/oauth/oauth.go +index bbfdce3..98ab65e 100644 +--- a/helpers/oauth/oauth.go ++++ b/helpers/oauth/oauth.go +@@ -73,38 +73,70 @@ func GetHTTPClient(customFile string) *http.Client { + // token - Auth token being used for the request + // repo - Repo you are requesting access too e.g. bainsy88/busybox + // username - Username for the OAuth request, identifies the type of token being passed in. Valid usernames are token (for registry token), iambearer, iamapikey, bearer (UAA bearer (legacy)), iamrefresh +-// writeAccessRequired - Whether or not you require write (push and delete) access as well as read (pull) +-// service - The service you are retrieving the OAuth token for. Current services are either "notary" or "registry" +-// hostname - Hostname of the registry you wish to call e.g. https://icr.io ++// ChallengeSlice - Challenge slice contains the www-authenticate details + // Returns: + // *auth.TokenResponse - Details of the type is here https://github.ibm.com/alchemy-registry/registry-types/tree/master/auth#type-tokenresponse + // Token is the element you will need to forward to the registry/notary as part of a Bearer Authorization Header + // error +-func Request(token string, repo string, username string, writeAccessRequired bool, service string, hostname string) (*TokenResponse, error) { +- var actions string +- //If you want to verify if a the credential supplied has read and write access to the repo we ask oauth for pull,push and * +- if writeAccessRequired { +- actions = "pull,push,*" +- } else { +- actions = "pull" ++func Request(token, repo, username string, challengeSlice []Challenge) (*TokenResponse, error) { ++ oauthEndpoint := "" ++ service := "" ++ scope := "" ++ ++ if challengeSlice == nil { ++ errMessage := "unable to fetch www-authenticate header details" ++ glog.Errorf(errMessage) ++ return nil, fmt.Errorf(errMessage) ++ } ++ ++ for _, challenge := range challengeSlice { ++ oauthEndpoint = challenge.Parameters["realm"] ++ service = challenge.Parameters["service"] ++ scope = challenge.Parameters["scope"] ++ } ++ ++ if oauthEndpoint == "" || service == "" { ++ errMessage := "unable to fetch oauth realm and service header details" ++ glog.Errorf(errMessage) ++ return nil, fmt.Errorf(errMessage) + } + + client := GetHTTPClient("/etc/certs/ca.pem") + +- resp, err := client.PostForm(hostname+"/oauth/token", url.Values{ ++ glog.Infof("Calling oauth endpoint: %s for registry service: %s and scope %s", oauthEndpoint, service, scope) ++ var resp *http.Response ++ var err error ++ resp, err = client.PostForm(oauthEndpoint, url.Values{ + "service": {service}, + "grant_type": {"password"}, +- "client_id": {"testclient"}, ++ "client_id": {"portieris-client"}, + "username": {username}, + "password": {token}, +- "scope": {"repository:" + repo + ":" + actions}, ++ "scope": {scope}, + }) +- + if err != nil { +- glog.Errorf("Error sending request to registry-oauth: %v", err) ++ glog.Errorf("Error sending POST request to registry-oauth: %v", err) + return nil, err + } + ++ // TODO: confirm if status code of 405 needs to be handled in the below block ++ if resp.StatusCode == 404 || resp.StatusCode == 405 { ++ glog.Info("Calling: " + oauthEndpoint + "?service=" + service + "&scope=" + scope) ++ getURL, err := url.Parse(oauthEndpoint) ++ if err != nil { ++ return nil, err ++ } ++ q := getURL.Query() ++ q.Set("service", service) ++ q.Set("scope", scope) ++ getURL.RawQuery = q.Encode() ++ resp, err = client.Get(getURL.String()) ++ if err != nil { ++ glog.Errorf("Error sending GET request to registry-oauth: %v", err) ++ return nil, err ++ } ++ } ++ + if resp.StatusCode < 200 || resp.StatusCode >= 300 { + // Unexpected, read body for more information and close. It is the upstream callers + // responsibility to close the response body if an error is not returned. +@@ -125,3 +157,26 @@ func Request(token string, repo string, username string, writeAccessRequired boo + + return &tokenResponse, nil + } ++ ++// CheckAuthRequired - checks if the given image needs to be authenticated to fetch metadata or not and returns the response ++func CheckAuthRequired(notaryURL, hostName, repoName string, official bool) (*http.Response, error) { ++ glog.Infof("Notary URL: %s Hostname %s RepoName %s", notaryURL, hostName, repoName) ++ // Github issue 51 Fix ++ var req *http.Request ++ var err error ++ client := GetHTTPClient("/etc/certs/ca.pem") ++ if hostName == "docker.io" && official { ++ req, err = http.NewRequest("GET", notaryURL+"/v2/"+hostName+"/library/"+repoName+"/_trust/tuf/root.json", nil) ++ } else { ++ req, err = http.NewRequest("GET", notaryURL+"/v2/"+hostName+"/"+repoName+"/_trust/tuf/root.json", nil) ++ } ++ ++ resp, err := client.Do(req) ++ ++ if err != nil { ++ glog.Errorf("Failed to query v2 tuf endpoint for notaryURL: %s", notaryURL) ++ return nil, err ++ } ++ ++ return resp, nil ++} +diff --git a/pkg/controller/multi/notary_test.go b/pkg/controller/multi/notary_test.go +index d16c57d..9a36370 100644 +--- a/pkg/controller/multi/notary_test.go ++++ b/pkg/controller/multi/notary_test.go +@@ -276,6 +276,7 @@ var _ = Describe("Main", func() { + "policy": { + "trust": { + "enabled": true ++ "trustServer": "https://us.icr.io:4443" + }, + "va": { + "enabled": false +@@ -290,7 +291,7 @@ var _ = Describe("Main", func() { + wh.HandleAdmissionRequest(w, req) + parseResponse() + Expect(resp.Response.Allowed).To(BeFalse()) +- Expect(resp.Response.Result.Message).To(ContainSubstring(`Deny "no-secret.icr.io/hello", no valid ImagePullSecret defined for no-secret.icr.io`)) ++ Expect(resp.Response.Result.Message).To(ContainSubstring(`Deny "no-secret.icr.io/hello", no matching repositories in the ImagePolicies`)) + }) + }) + +@@ -343,7 +344,7 @@ var _ = Describe("Main", func() { + wh.HandleAdmissionRequest(w, req) + parseResponse() + Expect(resp.Response.Allowed).To(BeFalse()) +- Expect(resp.Response.Result.Message).To(ContainSubstring(`Deny "us.icr.io/hello", no valid ImagePullSecret defined for us.icr.io`)) ++ Expect(resp.Response.Result.Message).To(ContainSubstring(`Some error occurred while trying to fetch token for unauthenticated pubilc pull FAKE_INVALID_TOKEN_ERROR`)) + }) + }) + +@@ -620,7 +621,7 @@ var _ = Describe("Main", func() { + Expect(len(trust.GetNotaryRepoArgsForCall)).To(Equal(1)) + Expect(trust.GetNotaryRepoArgsForCall[0].Server).To(Equal("https://some-trust-server.com:4443")) + Expect(resp.Response.Allowed).To(BeFalse()) +- Expect(resp.Response.Result.Message).To(ContainSubstring(`Deny "us.icr.io/hello", failed to get content trust information: unable to reach trust server at this time: 0.`)) ++ Expect(resp.Response.Result.Message).To(ContainSubstring(`Some error occurred while checking if authentication is required to fetch target metadata`)) + }) + }) + +@@ -665,7 +666,7 @@ var _ = Describe("Main", func() { + "policy": { + "trust": { + "enabled": true, +- "trustServer": "https://some-trust-server.com:4443" ++ "trustServer": "https://notary.docker.io"" + }, + "va": { + "enabled": false +@@ -683,8 +684,8 @@ var _ = Describe("Main", func() { + wh.HandleAdmissionRequest(w, req) + parseResponse() + Expect(len(trust.GetNotaryRepoArgsForCall)).To(Equal(2)) +- Expect(trust.GetNotaryRepoArgsForCall[0].Server).To(Equal("https://some-trust-server.com:4443")) +- Expect(trust.GetNotaryRepoArgsForCall[1].Server).To(Equal("https://some-trust-server.com:4443")) ++ Expect(trust.GetNotaryRepoArgsForCall[0].Server).To(Equal("https://notary.docker.io")) ++ Expect(trust.GetNotaryRepoArgsForCall[1].Server).To(Equal("https://notary.docker.io")) + Expect(resp.Response.Allowed).To(BeFalse()) + Expect(resp.Response.Result.Message).To(ContainSubstring(`Deny "us.icr.io/hello", failed to get content trust information: FAKE_NO_SIGNED_IMAGE_ERROR`)) + Expect(resp.Response.Result.Message).To(ContainSubstring(`Deny "us.icr.io/goodbye", failed to get content trust information: FAKE_NO_SIGNED_IMAGE_ERROR`)) +@@ -739,6 +740,7 @@ var _ = Describe("Main", func() { + "policy": { + "trust": { + "enabled": true ++ "trustServer": "https://notary.docker.io" + }, + "va": { + "enabled": false +@@ -770,7 +772,7 @@ var _ = Describe("Main", func() { + Expect(len(trust.GetNotaryRepoArgsForCall)).To(Equal(2)) + Expect(trust.GetNotaryRepoArgsForCall[0].Server).To(Equal("https://us.icr.io:4443")) + Expect(trust.GetNotaryRepoArgsForCall[0].Image).To(Equal("us.icr.io/hello")) +- Expect(trust.GetNotaryRepoArgsForCall[1].Server).To(Equal("https://some-trust-server.com:4443")) ++ Expect(trust.GetNotaryRepoArgsForCall[1].Server).To(Equal("https://notary.docker.io")) + Expect(trust.GetNotaryRepoArgsForCall[1].Image).To(Equal("icr.io/goodbye")) + Expect(resp.Response.Allowed).To(BeFalse()) + }) +diff --git a/pkg/registry/fakeregistry/fakeregistry.go b/pkg/registry/fakeregistry/fakeregistry.go +index 2e9d97e..342be8c 100644 +--- a/pkg/registry/fakeregistry/fakeregistry.go ++++ b/pkg/registry/fakeregistry/fakeregistry.go +@@ -18,6 +18,7 @@ import ( + "fmt" + "sync" + ++ "github.com/IBM/portieris/helpers/oauth" + "github.com/IBM/portieris/pkg/registry" + ) + +@@ -25,13 +26,13 @@ var _ registry.Interface = &FakeRegistry{} + + // FakeRegistry . + type FakeRegistry struct { +- GetContentTrustTokenStub func(username, password, imageRepo, hostname string) (string, error) ++ GetContentTrustTokenStub func(username, password, imageRepo string, challengeSlice []oauth.Challenge) (string, error) + getContentTrustTokenMutex sync.RWMutex + getContentTrustTokenArgsForCall []struct { +- username string +- password string +- imageRepo string +- hostname string ++ username string ++ password string ++ imageRepo string ++ challengeSlice []oauth.Challenge + } + getContentTrustTokenReturns struct { + token string +@@ -40,17 +41,17 @@ type FakeRegistry struct { + } + + // GetContentTrustToken ... +-func (fake *FakeRegistry) GetContentTrustToken(username, password, imageRepo, hostname string) (string, error) { ++func (fake *FakeRegistry) GetContentTrustToken(username, password, imageRepo string, challengeSlice []oauth.Challenge) (string, error) { + fake.getContentTrustTokenMutex.Lock() + fake.getContentTrustTokenArgsForCall = append(fake.getContentTrustTokenArgsForCall, struct { +- username string +- password string +- imageRepo string +- hostname string +- }{username, password, imageRepo, hostname}) ++ username string ++ password string ++ imageRepo string ++ challengeSlice []oauth.Challenge ++ }{username, password, imageRepo, challengeSlice}) + fake.getContentTrustTokenMutex.Unlock() + if fake.GetContentTrustTokenStub != nil { +- return fake.GetContentTrustTokenStub(username, password, imageRepo, hostname) ++ return fake.GetContentTrustTokenStub(username, password, imageRepo, challengeSlice) + } + return fake.getContentTrustTokenReturns.token, fake.getContentTrustTokenReturns.err + } +@@ -66,6 +67,6 @@ func (fake *FakeRegistry) GetContentTrustTokenReturns(token string, err error) { + } + + // GetRegistryToken ... +-func (fake *FakeRegistry) GetRegistryToken(username, password, imageRepo, hostname string) (string, error) { ++func (fake *FakeRegistry) GetRegistryToken(username, password, imageRepo string, challengeSlice []oauth.Challenge) (string, error) { + return "", fmt.Errorf("not implemented") + } +diff --git a/pkg/registry/registry.go b/pkg/registry/registry.go +index 375de38..febaa69 100644 +--- a/pkg/registry/registry.go ++++ b/pkg/registry/registry.go +@@ -23,8 +23,8 @@ type Client struct{} + + // Interface . + type Interface interface { +- GetContentTrustToken(username, password, imageRepo, hostname string) (string, error) +- GetRegistryToken(username, password, imageRepo, hostname string) (string, error) ++ GetContentTrustToken(username, password, imageRepo string, challengeSlice []oauth.Challenge) (string, error) ++ GetRegistryToken(username, password, imageRepo string, challengeSlice []oauth.Challenge) (string, error) + } + + // NewClient . +@@ -33,8 +33,8 @@ func NewClient() Interface { + } + + // GetContentTrustToken . +-func (c Client) GetContentTrustToken(username, password, imageRepo, hostname string) (string, error) { +- token, err := oauth.Request(password, imageRepo, username, false, "notary", hostname) ++func (c Client) GetContentTrustToken(username, password, imageRepo string, challengeSlice []oauth.Challenge) (string, error) { ++ token, err := oauth.Request(password, imageRepo, username, challengeSlice) + if err != nil { + return "", err + } +@@ -42,8 +42,8 @@ func (c Client) GetContentTrustToken(username, password, imageRepo, hostname str + } + + // GetRegistryToken . +-func (c Client) GetRegistryToken(username, password, imageRepo, hostname string) (string, error) { +- token, err := oauth.Request(password, imageRepo, username, false, "registry", hostname) ++func (c Client) GetRegistryToken(username, password, imageRepo string, challengeSlice []oauth.Challenge) (string, error) { ++ token, err := oauth.Request(password, imageRepo, username, challengeSlice) + if err != nil { + return "", err + } +diff --git a/pkg/verifier/trust/verifier.go b/pkg/verifier/trust/verifier.go +index 00aee83..7dce484 100644 +--- a/pkg/verifier/trust/verifier.go ++++ b/pkg/verifier/trust/verifier.go +@@ -17,9 +17,11 @@ package trust + import ( + "bytes" + "fmt" ++ "net/http" + "strings" + + "github.com/IBM/portieris/helpers/image" ++ "github.com/IBM/portieris/helpers/oauth" + securityenforcementv1beta1 "github.com/IBM/portieris/pkg/apis/securityenforcement/v1beta1" + "github.com/IBM/portieris/pkg/kubernetes" + "github.com/IBM/portieris/pkg/notary" +@@ -74,14 +76,61 @@ func (v *Verifier) VerifyByPolicy(namespace string, img *image.Reference, creden + } + } + ++ official := !strings.ContainsRune(img.RepoName(), '/') ++ ++ hostname := img.GetHostname() ++ port := img.GetPort() ++ if port != "" { ++ port = ":" + port ++ } ++ repo := hostname + port ++ ++ resp, err := oauth.CheckAuthRequired(notaryURL, repo, img.RepoName(), official) ++ if err != nil { ++ glog.Error(err) ++ return nil, nil, fmt.Errorf("Some error occurred while checking if authentication is required to fetch target metadata") ++ } ++ ++ if resp.StatusCode == http.StatusUnauthorized { ++ glog.Infof("Need to get token for %s to fetch target metadata", notaryURL) ++ } else if resp.StatusCode == http.StatusOK { ++ glog.Infof("No need to fetch token for %s to get the target metadata", notaryURL) ++ } else { ++ glog.Infof("Status code: %v was returned", resp.StatusCode) ++ return nil, nil, fmt.Errorf("Status code: %v was returned while checking if authentication is required to fetch target metadata", resp.StatusCode) ++ } ++ ++ glog.Infof("Status code: %v returned for repo: %v", resp.StatusCode, img.NameWithoutTag()) ++ ++ var challengeSlice []oauth.Challenge ++ ++ if resp.StatusCode == http.StatusUnauthorized { ++ challengeSlice = oauth.ResponseChallenges(resp) ++ if err != nil { ++ glog.Error(err) ++ return nil, nil, fmt.Errorf("Some error occurred when fetching challenge slice %s", err.Error()) ++ } ++ } ++ + for _, cred := range credentials { +- notaryToken, err := v.cr.GetContentTrustToken(cred[0], cred[1], img.NameWithoutTag(), img.GetRegistryURL()) ++ notaryToken, err := v.cr.GetContentTrustToken(cred[0], cred[1], img.NameWithoutTag(), challengeSlice) + if err != nil { + glog.Error(err) + continue + } + +- digest, err := v.getDigest(notaryURL, img.NameWithoutTag(), notaryToken, img.GetTag(), signers) ++ // Get image digest ++ glog.Infof("getting signed image... %v", img.RepoName()) ++ // notaryToken will be blank for unauthorized calls ++ var image string ++ if official { ++ image = "docker.io/library/" + img.RepoName() ++ } else { ++ image = img.NameWithoutTag() ++ } ++ glog.Infof("Image: %v", image) ++ ++ digest, err := v.getDigest(notaryURL, image, notaryToken, img.GetTag(), signers) + if err != nil { + if strings.Contains(err.Error(), "401") { + continue +@@ -95,5 +144,37 @@ func (v *Verifier) VerifyByPolicy(namespace string, img *image.Reference, creden + } + return digest, nil, nil + } +- return nil, fmt.Errorf("Deny %q, no valid ImagePullSecret defined for %s", img.String(), img.String()), nil ++ ++ // if no credentials defined and pulling signed images from public docker ++ notaryToken, err := v.cr.GetContentTrustToken("", "", img.NameWithoutTag(), challengeSlice) ++ if err != nil { ++ glog.Error(err) ++ return nil, nil, fmt.Errorf("Some error occurred while trying to fetch token for unauthenticated pubilc pull %s", err.Error()) ++ } ++ ++ // Get image digest ++ glog.Infof("getting signed image for %v", img.RepoName()) ++ // notaryToken will be blank for unauthorized calls ++ var image string ++ if official { ++ image = "docker.io/library/" + img.RepoName() ++ } else { ++ image = img.NameWithoutTag() ++ } ++ glog.Infof("Image: %v and tag: %v", image, img.GetTag()) ++ glog.Infof("Notary URL: %v", notaryURL) ++ digest, err := v.getDigest(notaryURL, image, notaryToken, img.GetTag(), signers) ++ if err != nil { ++ glog.Infof(err.Error()) ++ if strings.Contains(err.Error(), "401") { ++ return nil, fmt.Errorf("Deny %q, no valid ImagePullSecret defined for %s", img.String(), img.String()), nil ++ } ++ ++ if _, ok := err.(store.ErrServerUnavailable); ok { ++ glog.Errorf("Trust server unavailable: %v", err) ++ return nil, nil, fmt.Errorf("Deny %q, failed to get content trust information: %s", img.String(), err.Error()) ++ } ++ return nil, fmt.Errorf("Deny %q, failed to get content trust information: %s", img.String(), err.Error()), nil ++ } ++ return digest, nil, nil + } +-- +1.8.3.1 +